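#!/usr/bin/env python
###############################################################################
#
# CoCalc: Collaborative Calculation in the Cloud
#
# Copyright (C) 2016, Sagemath Inc.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
###############################################################################


# This script is run by /etc/rc.local when booting up. It does special configuration
# depending on what images are mounted, etc.
#
# The machine's role is selected purely by hostname prefix (salvus-base, devel,
# compute, cassandra). Every command is a fixed string passed to os.system();
# the hostname is never interpolated into a command line, so there is no
# shell-injection surface here -- keep it that way if you add commands.

import os, socket, sys

# Scripts copied from the repo checkout into /usr/local/bin on devel and compute
# nodes. Both roles previously duplicated this loop verbatim.
INSTALLED_SCRIPTS = ['bup_storage.py']


def install_scripts(scripts=INSTALLED_SCRIPTS):
    """Copy the newest version of each script to /usr/local/bin and lock its perms.

    The copy is root-owned: group/other lose write and gain read+execute.

    :param scripts: iterable of file names under /home/salvus/salvus/salvus/scripts/
    """
    for s in scripts:
        os.system("cp /home/salvus/salvus/salvus/scripts/%s /usr/local/bin/; chmod og-w /usr/local/bin/%s; chmod og+rx /usr/local/bin/%s" % (s, s, s))


def configure_devel():
    """Boot-time configuration for 'devel*' hosts."""
    os.system('/root/ip_blacklist/block.sh')

    # do NOT want this node on tinc network -- that messes up bup server, making it listen only externally, etc.
    os.system("killall tincd")
    # And make sure tinc can't be started, which would happen later, and is a potential security hole -- this deletes the trusted private key.
    os.system("rm -rf /home/salvus/salvus/salvus/data/local/etc/tinc/")

    # mount pool and start bup
    os.system("zpool import -f pool; zfs mount -a; chmod og-r /projects; su - salvus -c 'cd /home/salvus/salvus/salvus/&& . smc-env&& export BUP_POOL=\"pool\"; ./bup_server start'")
    # replace this secret by something harmless (don't just delete since hub.coffee assumes file exists)
    os.system('echo ""> /home/salvus/salvus/salvus/data/secrets/cassandra/hub')

    # devel machines don't need this password...
    os.system('echo ""> /home/salvus/salvus/salvus/data/secrets/sendgrid_email_password')

    # setup a fake pem
    os.system("cp /home/salvus/salvus/salvus/data/secrets/sagemath.com/nopassphrase.pem.fake /home/salvus/salvus/salvus/data/secrets/sagemath.com/nopassphrase.pem")

    # Copy over newest version of certain scripts and set permissions
    install_scripts()


def configure_compute():
    """Boot-time configuration for 'compute*' hosts."""
    # Delete secrets that aren't needed for the *compute machines* (only web machines)
    os.system('rm -rf /home/salvus/salvus/salvus/data/secrets/')

    # NOTE: storing crontabs in persistent storage (/mnt/home/crontabs, symlinked
    # from /var/spool/cron) so they survive VM restarts was prototyped here but is
    # disabled -- it needs to take into account how projects can move between hosts.

    # Copy over newest version of certain scripts and set permissions
    install_scripts()

    # Start the bup storage server:
    os.system("umount /projects; umount /bup/conf; umount /bup/bups; zpool import -f bup; zfs set mountpoint=/projects bup/projects; chmod og-r /projects")
    # It's critical to start tinc *after* the above ZFS pools are mounted (so we don't get rsync'd), but before we start bup_server (which needs to know the tun0 address)
    os.system("nice --19 /home/salvus/salvus/salvus/data/local/sbin/tincd")

    os.system("su - salvus -c 'cd /home/salvus/salvus/salvus/&& . smc-env&& ./bup_server start'")
    # Install crontab for snapshotting the bup pool, etc.
    os.system("crontab /home/salvus/salvus/salvus/scripts/root-compute.crontab")

    # Start our low-level iptables mostly-outgoing-blocking firewall
    os.system('cd /root/smc-iptables; ./restart.sh')

    # Lock down some perms a little, just in case I were to mess up somehow at some point
    # (the trailing '&' backgrounds the recursive chmod so boot isn't held up by it)
    os.system("chmod og-rwx -R /home/salvus/&")

    # Create a firewall so that only the hub nodes can connect to things like ipython and the raw server.
    # This ran last in the original script, after the cassandra section; since a
    # hostname cannot start with both 'compute' and 'cassandra', running it here
    # at the end of the compute role is equivalent.
    os.system("/home/salvus/salvus/salvus/scripts/compute_firewall.sh")


def configure_cassandra():
    """Boot-time configuration for 'cassandra*' hosts."""
    # Delete data that doesn't need to be on this node
    os.system("rm -rf /home/salvus/salvus/salvus/data/secrets/")
    # import and mount the relevant ZFS pool -- do this blocking, since once the machine is up we had better
    # be able to start cassandra itself.
    os.system("zpool import -f cassandra ")

    # set clearly permissions constraints: see -- http://www.datastax.com/docs/1.1/install/recommended_settings
    # Use a context manager so the file is flushed and closed before sysctl/swapoff run.
    with open("/etc/security/limits.conf", "w") as limits:
        limits.write("""
* soft memlock unlimited
* hard memlock unlimited
* soft nofile 32768
* hard nofile 32768
* soft as unlimited
* hard as unlimited
""")

    os.system("sysctl -w vm.max_map_count=131072")

    # Ensure no swap: http://www.datastax.com/docs/1.1/install/recommended_settings
    os.system("swapoff --all")


def main():
    """Dispatch on the hostname prefix and apply the matching role configuration.

    Exits with status 0 without doing anything on the 'salvus-base' template.
    """
    hostname = socket.gethostname()

    if hostname.startswith("salvus-base"):
        # no special config -- this is our template machine
        sys.exit(0)

    if hostname.startswith('devel'):
        configure_devel()

    if hostname.startswith('compute'):
        configure_compute()

    if hostname.startswith('cassandra'):
        configure_cassandra()


if __name__ == "__main__":
    main()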